ericj
just joined
Topic Author
Posts: 1
Joined: Thu Jun 11, 2009 6:46 pm

IPsec tunnel VPN setup?

Thu Jun 11, 2009 9:30 pm

Hello everyone,

Has anyone ever got this to work between two boards running RouterOS? I've read, re-read, and tried just about everything I could come up with, and while I can get it set up for L2TP/IPsec and establish connections from a Windows box to the board, I cannot seem to get the boards to connect directly to each other.

My assumption is that I'm missing some steps or doing something wrong, but since I can't even get it to try to connect, there is literally nothing in the logs to work from. In case this helps with diagnosis, they are both running RouterOS 3.24.

Here's my test setup:
------------------------------------------------------------
    Network A (192.168.0.0/24), Computer A (192.168.0.100)
------------------------------------------------------------
                              |
                           (Switch)
                              |
                           (ether2)
------------------------------------------------------------
     Routerboard1 (ether1: 10.0.0.1, ether2: 192.168.0.1)
------------------------------------------------------------
                           (ether1)
                              |
                           (Switch)
                              |
                           (ether1)
------------------------------------------------------------
     Routerboard2 (ether1: 10.0.0.100, ether2: 192.168.1.1)
------------------------------------------------------------
                           (ether2)
                              |
                           (Switch)
                              |
------------------------------------------------------------
    Network B (192.168.1.0/24), Computer B (192.168.1.100)
------------------------------------------------------------

There's some debate about whether I need to do some additional process beyond setting the IP addresses for each interface, adding a peer and policy on each board, and that the one set to "send-initial-contact=yes" will just automatically send the initial contact.

Trying for the simplest configuration where as much as possible is handled automatically, here's how I set them up after a reset:

Routerboard1:
system logging add topics=ipsec
system identity set name="Routerboard1"
ip address remove 0
ip address add address=10.0.0.1/8 interface=ether1
ip address add address=192.168.0.1/24 interface=ether2
ip ipsec policy add dst-address=192.168.0.0/24:any src-address=192.168.1.0/24:any \
  sa-dst-address=10.0.0.100 sa-src-address=10.0.0.1 tunnel=yes
ip ipsec peer add address=10.0.0.100/32:500 secret="test" enc-algorithm=3des \
  hash-algorithm=sha1 send-initial-contact=yes

Routerboard2:
system logging add topics=ipsec
system identity set name="Routerboard2"
ip address remove 0
ip address add address=10.0.0.100/8 interface=ether1
ip address add address=192.168.1.1/24 interface=ether2
ip ipsec policy add dst-address=192.168.1.0/24:any src-address=192.168.0.0/24:any \
  sa-dst-address=10.0.0.1 sa-src-address=10.0.0.100 tunnel=yes
ip ipsec peer add address=10.0.0.1/32:500 secret="test" enc-algorithm=3des \
  hash-algorithm=sha1 send-initial-contact=yes

Thank you for any help you can give me with this.
--
Eric
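
Added example, not part of the original posts: a small Python lint for a pair of site-to-site IPsec policies, checking that each router's `src-address` selector covers a network attached to that router, that `sa-src-address` is one of its own addresses, and that the two policies mirror each other. The function names are hypothetical; the interface addresses and policy lines are copied from the post above, and on them the mirror check passes while both routers fail the orientation check.

```python
import ipaddress

def parse_kv(line):
    """Turn a RouterOS 'add key=value ...' line into a dict (quotes stripped)."""
    toks = line.replace("\\\n", " ").split()
    return {k: v.strip('"') for k, v in (t.split("=", 1) for t in toks if "=" in t)}

def selector(value):
    """'192.168.0.0/24:any' -> IPv4Network (drops the ':port' suffix used in the thread)."""
    return ipaddress.ip_network(value.split(":", 1)[0])

def lint_policy(local_addrs, policy_line):
    """Check one router's policy against its own interface addresses."""
    p = parse_kv(policy_line)
    local = [ipaddress.ip_interface(a).ip for a in local_addrs]
    src, dst = selector(p["src-address"]), selector(p["dst-address"])
    findings = []
    if not any(ip in src for ip in local):
        findings.append(f"src-address {src} is not a network attached to this router")
    if any(ip in dst for ip in local):
        findings.append(f"dst-address {dst} is this router's own network")
    if ipaddress.ip_address(p["sa-src-address"]) not in local:
        findings.append(f"sa-src-address {p['sa-src-address']} is not a local address")
    if p.get("tunnel") != "yes":
        findings.append("tunnel=yes is required for a subnet-to-subnet policy")
    return findings

def mirrored(policy_a, policy_b):
    """True when B's policy is A's with source and destination swapped."""
    a, b = parse_kv(policy_a), parse_kv(policy_b)
    return (selector(a["src-address"]) == selector(b["dst-address"])
            and selector(a["dst-address"]) == selector(b["src-address"])
            and a["sa-src-address"] == b["sa-dst-address"]
            and a["sa-dst-address"] == b["sa-src-address"])

# Interface addresses and policy lines copied from the post above.
RB1_ADDRS = ["10.0.0.1/8", "192.168.0.1/24"]
RB1_POLICY = ("ip ipsec policy add dst-address=192.168.0.0/24:any src-address=192.168.1.0/24:any "
              "sa-dst-address=10.0.0.100 sa-src-address=10.0.0.1 tunnel=yes")
RB2_ADDRS = ["10.0.0.100/8", "192.168.1.1/24"]
RB2_POLICY = ("ip ipsec policy add dst-address=192.168.1.0/24:any src-address=192.168.0.0/24:any "
              "sa-dst-address=10.0.0.1 sa-src-address=10.0.0.100 tunnel=yes")

if __name__ == "__main__":
    print("mirrored:", mirrored(RB1_POLICY, RB2_POLICY))
    for name, addrs, pol in (("Routerboard1", RB1_ADDRS, RB1_POLICY),
                             ("Routerboard2", RB2_ADDRS, RB2_POLICY)):
        for finding in lint_policy(addrs, pol) or ["ok"]:
            print(f"{name}: {finding}")
```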
 
Krusty
Frequent Visitor
Posts: 71
Joined: Fri May 02, 2008 11:14 pm

Re: IPsec tunnel VPN setup?

Fri Jun 12, 2009 10:24 pm

You have to set up an IPIP or EoIP tunnel and then set up IPsec to go through this tunnel.
